diff options
Diffstat (limited to 'doc/man/PAM.8')
| -rw-r--r-- | doc/man/PAM.8 | 99 |
1 files changed, 99 insertions, 0 deletions
diff --git a/doc/man/PAM.8 b/doc/man/PAM.8 new file mode 100644 index 00000000..3622ef7e --- /dev/null +++ b/doc/man/PAM.8 @@ -0,0 +1,99 @@ +.\" ** You probably do not want to edit this file directly ** +.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1). +.\" Instead of manually editing it, you probably should edit the DocBook XML +.\" source for it and then use the DocBook XSL Stylesheets to regenerate it. +.TH "PAM" "8" "03/12/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.SH "NAME" +PAM, pam \- Pluggable Authentication Modules for Linux +.SH "DESCRIPTION" +.PP +This manual is intended to offer a quick introduction to +\fILinux\-PAM\fR. For more information the reader is directed to the +\fILinux\-PAM system administrators' guide\fR. +.PP +\fILinux\-PAM\fR +Is a system of libraries that handle the authentication tasks of applications (services) on the system. The library provides a stable general interface (Application Programming Interface \- API) that privilege granting programs (such as +\fBlogin\fR(1) +and +\fBsu\fR(1)) defer to to perform standard authentication tasks. +.PP +The principal feature of the PAM approach is that the nature of the authentication is dynamically configurable. In other words, the system administrator is free to choose how individual service\-providing applications will authenticate users. This dynamic configuration is set by the contents of the single +\fILinux\-PAM\fR +configuration file +\fI/etc/pam.conf\fR. Alternatively, the configuration can be set by individual configuration files located in the +\fI/etc/pam.d/\fR +directory. +\fIThe presence of this directory will cause \fR\fILinux\-PAM\fR\fI to ignore\fR\fI/etc/pam.conf\fR. +.PP +From the point of view of the system administrator, for whom this manual is provided, it is not of primary importance to understand the internal behavior of the +\fILinux\-PAM\fR +library. The important point to recognize is that the configuration file(s) +\fIdefine\fR +the connection between applications +(\fIservices\fR) and the pluggable authentication modules +(\fIPAM\fRs) that perform the actual authentication tasks. +.PP +\fILinux\-PAM\fR +separates the tasks of +\fIauthentication\fR +into four independent management groups: +\fIaccount\fR +management; +\fIauth\fRentication management; +\fIpassword\fR +management; and +\fIsession\fR +management. (We highlight the abbreviations used for these groups in the configuration file.) +.PP +Simply put, these groups take care of different aspects of a typical user's request for a restricted service: +.PP +\fIaccount\fR +\- provide account verification types of service: has the user's password expired?; is this user permitted access to the requested service? +.PP +\fIauth\fRentication \- authenticate a user and set up user credentials. Typically this is via some challenge\-response request that the user must satisfy: if you are who you claim to be please enter your password. Not all authentications are of this type, there exist hardware based authentication schemes (such as the use of smart\-cards and biometric devices), with suitable modules, these may be substituted seamlessly for more standard approaches to authentication \- such is the flexibility of +\fILinux\-PAM\fR. +.PP +\fIpassword\fR +\- this group's responsibility is the task of updating authentication mechanisms. Typically, such services are strongly coupled to those of the +\fIauth\fR +group. Some authentication mechanisms lend themselves well to being updated with such a function. Standard UN*X password\-based access is the obvious example: please enter a replacement password. +.PP +\fIsession\fR +\- this group of tasks cover things that should be done prior to a service being given and after it is withdrawn. Such tasks include the maintenance of audit trails and the mounting of the user's home directory. The +\fIsession\fR +management group is important as it provides both an opening and closing hook for modules to affect the services available to a user. +.SH "FILES" +.PP +\fI/etc/pam.conf\fR +\- the configuration file\fI/etc/pam.d/\fR +\- the +\fILinux\-PAM\fR +configuration directory. Generally, if this directory is present, the +\fI/etc/pam.conf\fR +file is ignored.\fI/lib/libpam.so.X\fR +\- the dynamic library\fI/lib/security/*.so\fR +\- the PAMs +.SH "ERRORS" +.PP +Typically errors generated by the +\fILinux\-PAM\fR +system of libraries, will be written to +\fBsyslog\fR(3). +.SH "CONFORMING TO" +.PP +DCE\-RFC 86.0, October 1995.Contains additional features, but remains backwardly compatible with this RFC. +.SH "BUGS" +.PP +None known. +.SH "SEE ALSO" +.PP +The three +\fILinux\-PAM\fR +Guides, for +\fIsystem administrators\fR, +\fImodule developers\fR, and +\fIapplication developers\fR. |